114th CONGRESS
1st Session 



H.R. 



To provide for the sharing of certain cyber threat intelligence and cyber 
threat information between the intelligence community and cybersecurity 
entities, and for other purposes. 



IN THE HOUSE OF REPRESENTATIVES 



Mr. RUPPERSBERGER introduced the following bill; which was referred to the
Committee on 



A BILL 

To provide for the sharing of certain cyber threat intelligence 
and cyber threat information between the intelligence 
community and cybersecurity entities, and for other pur- 
poses. 

1 Be it enacted by the Senate and House of Representa-

2 tives of the United States of America in Congress assembled,

3 SECTION 1. SHORT TITLE. 

4 This Act may be cited as the "Cyber Intelligence 

5 Sharing and Protection Act". 
1 SEC. 2. FEDERAL GOVERNMENT COORDINATION WITH RE-

2 SPECT TO CYBERSECURITY.

3 (a) Coordinated Activities. — The Federal Gov- 

4 ernment shall conduct cybersecurity activities to provide 

5 shared situational awareness that enables integrated oper- 

6 ational actions to protect, prevent, mitigate, respond to, 

7 and recover from cyber incidents. 

8 (b) Coordinated Information Sharing. — 

9 (1) Designation of coordinating entity 

10 for cyber threat information. — The President

11 shall designate an entity within the Department of 

12 Homeland Security as the civilian Federal entity to 

13 receive cyber threat information that is shared by a 

14 cybersecurity provider or self-protected entity in ac-

15 cordance with section 1104(b) of the National Secu-

16 rity Act of 1947, as added by section 3(a) of this

17 Act, except as provided in paragraph (2) and subject 

18 to the procedures established under paragraph (4). 

19 (2) Designation of a coordinating entity 

20 for cybersecurity crimes. — The President shall

21 designate an entity within the Department of Justice 

22 as the civilian Federal entity to receive cyber threat 

23 information related to cybersecurity crimes that is 

24 shared by a cybersecurity provider or self-protected 

25 entity in accordance with section 1104(b) of the Na- 

26 tional Security Act of 1947, as added by section 3(a) 
1 of this Act, subject to the procedures under para-

2 graph (4).

3 (3) Sharing by coordinating entities. —

4 The entities designated under paragraphs (1) and 

5 (2) shall share cyber threat information shared with 

6 such entities in accordance with section 1104(b) of 

7 the National Security Act of 1947, as added by sec- 

8 tion 3(a) of this Act, consistent with the procedures 

9 established under paragraphs (4) and (5). 

10 (4) Procedures. — Each department or agency 

11 of the Federal Government receiving cyber threat in-

12 formation shared in accordance with section 1104(b)

13 of the National Security Act of 1947, as added by 

14 section 3(a) of this Act, shall establish procedures 

15 to— 

16 (A) ensure that cyber threat information 

17 shared with departments or agencies of the 

18 Federal Government in accordance with such 

19 section 1104(b) is also shared with appropriate 

20 departments and agencies of the Federal Gov-

21 ernment with a national security mission in real

22 time; 

23 (B) ensure the distribution to other de-

24 partments and agencies of the Federal Govern-
1 ment of cyber threat information in real time;

2 and 

3 (C) facilitate information sharing, inter- 

4 action, and collaboration among and between 

5 the Federal Government; State, local, tribal, 

6 and territorial governments; and cybersecurity 

7 providers and self-protected entities. 

8 (5) Privacy and civil liberties. — 

9 (A) Policies and procedures. — The 

10 Secretary of Homeland Security, the Attorney 

11 General, the Director of National Intelligence, 

12 and the Secretary of Defense shall jointly estab- 

13 lish and periodically review policies and proce- 

14 dures governing the receipt, retention, use, and 

15 disclosure of non-publicly available cyber threat 

16 information shared with the Federal Govern- 

17 ment in accordance with section 1104(b) of the 

18 National Security Act of 1947, as added by sec- 

19 tion 3(a) of this Act. Such policies and proce- 

20 dures shall, consistent with the need to protect 

21 systems and networks from cyber threats and 

22 mitigate cyber threats in a timely manner — 

23 (i) minimize the impact on privacy 

24 and civil liberties; 
1 (ii) reasonably limit the receipt, reten-

2 tion, use, and disclosure of cyber threat in-

3 formation associated with specific persons

4 that is not necessary to protect systems or 

5 networks from cyber threats or mitigate 

6 cyber threats in a timely manner; 

7 (iii) include requirements to safeguard 

8 non-publicly available cyber threat infor- 

9 mation that may be used to identify spe- 

10 cific persons from unauthorized access or 

11 acquisition;

12 (iv) protect the confidentiality of cyber 

13 threat information associated with specific 

14 persons to the greatest extent practicable; 

15 and 

16 (v) not delay or impede the flow of 

17 cyber threat information necessary to de- 

18 fend against or mitigate a cyber threat. 

19 (B) Submission to congress. — The Sec- 

20 retary of Homeland Security, the Attorney Gen- 

21 eral, the Director of National Intelligence, and 

22 the Secretary of Defense shall, consistent with 

23 the need to protect sources and methods, jointly 

24 submit to Congress the policies and procedures 
1 required under subparagraph (A) and any up-

2 dates to such policies and procedures.

3 (C) Implementation. — The head of each 

4 department or agency of the Federal Govern- 

5 ment receiving cyber threat information shared 

6 with the Federal Government under such sec- 

7 tion 1104(b) shall— 

8 (i) implement the policies and proce- 

9 dures established under subparagraph (A); 

10 and 

11 (ii) promptly notify the Secretary of 

12 Homeland Security, the Attorney General, 

13 the Director of National Intelligence, the 

14 Secretary of Defense, and the appropriate 

15 congressional committees of any significant 

16 violations of such policies and procedures. 

17 (D) Oversight. — The Secretary of Home- 

18 land Security, the Attorney General, the Direc- 

19 tor of National Intelligence, and the Secretary 

20 of Defense shall jointly establish a program to 

21 monitor and oversee compliance with the poli- 

22 cies and procedures established under subpara- 

23 graph (A). 

24 (6) Information sharing relationships. — 

25 Nothing in this section shall be construed to — 
1 (A) alter existing agreements or prohibit

2 new agreements with respect to the sharing of 

3 cyber threat information between the Depart- 

4 ment of Defense and an entity that is part of 

5 the defense industrial base; 

6 (B) alter existing information-sharing rela- 

7 tionships between a cybersecurity provider, pro- 

8 tected entity, or self-protected entity and the 

9 Federal Government; 

10 (C) prohibit the sharing of cyber threat in-

11 formation directly with a department or agency

12 of the Federal Government for criminal inves- 

13 tigative purposes related to crimes described in 

14 section 1104(c)(1) of the National Security Act 

15 of 1947, as added by section 3(a) of this Act; 

16 or 

17 (D) alter existing agreements or prohibit 

18 new agreements with respect to the sharing of 

19 cyber threat information between the Depart-

20 ment of Treasury and an entity that is part of

21 the financial services sector.

22 (7) Technical assistance. — 

23 (A) Discussions and assistance. — 

24 Nothing in this section shall be construed to 

25 prohibit any department or agency of the Fed-
1 eral Government from engaging in formal or in-

2 formal technical discussion regarding cyber

3 threat information with a cybersecurity provider 

4 or self-protected entity or from providing tech- 

5 nical assistance to address vulnerabilities or 

6 mitigate threats at the request of such a pro- 

7 vider or such an entity. 

8 (B) Coordination. — Any department or 

9 agency of the Federal Government engaging in 

10 an activity referred to in subparagraph (A) 

11 shall coordinate such activity with the entity of

12 the Department of Homeland Security des- 

13 ignated under paragraph (1) and share all sig- 

14 nificant information resulting from such activity 

15 with such entity and all other appropriate de-

16 partments and agencies of the Federal Govern-

17 ment.

18 (C) Sharing by designated entity. — 

19 Consistent with the policies and procedures es- 

20 tablished under paragraph (5), the entity of the 

21 Department of Homeland Security designated 

22 under paragraph (1) shall share with all appro- 

23 priate departments and agencies of the Federal 

24 Government all significant information resulting 

25 from — 



f:\VHLC\01 071 5\01 071 5.204.xml (58802211 ) 
January 7, 2015 (3:04 p.m.) 



F:\M14\RUPPER\RUPPER_001 .XML 



9 

1 (i) formal or informal technical dis- 

2 cussions between such entity of the De- 

3 partment of Homeland Security and a 

4 cybersecurity provider or self-protected en- 

5 tity about cyber threat information; or 

6 (ii) any technical assistance such enti- 

7 ty of the Department of Homeland Secu- 

8 rity provides to such cybersecurity provider 

9 or such self-protected entity to address 

10 vulnerabilities or mitigate threats. 

11 (c) Reports on Information Sharing. —

12 (1) Inspector general of the department 

13 of homeland security report. — The Inspector

14 General of the Department of Homeland Security, in 

15 consultation with the Inspector General of the De- 

16 partment of Justice, the Inspector General of the In- 

17 telligence Community, the Inspector General of the 

18 Department of Defense, and the Privacy and Civil 

19 Liberties Oversight Board, shall annually submit to 

20 the appropriate congressional committees a report 

21 containing a review of the use of information shared 

22 with the Federal Government under subsection (b) 

23 of section 1104 of the National Security Act of 

24 1947, as added by section 3(a) of this Act, includ- 

25 ing — 
1 (A) a review of the use by the Federal

2 Government of such information for a purpose

3 other than a cybersecurity purpose;

4 (B) a review of the type of information 

5 shared with the Federal Government under 

6 such subsection;

7 (C) a review of the actions taken by the 

8 Federal Government based on such information; 

9 (D) appropriate metrics to determine the 

10 impact of the sharing of such information with 

11 the Federal Government on privacy and civil 

12 liberties, if any; 

13 (E) a list of the departments or agencies 

14 receiving such information; 

15 (F) a review of the sharing of such infor- 

16 mation within the Federal Government to iden- 

17 tify inappropriate stovepiping of shared infor- 

18 mation; and 

19 (G) any recommendations of the Inspector 

20 General of the Department of Homeland Secu- 

21 rity for improvements or modifications to the 

22 authorities under such section. 

23 (2) Privacy and civil liberties officers 

24 report. — The Officer for Civil Rights and Civil 

25 Liberties of the Department of Homeland Security, 
1 in consultation with the Privacy and Civil Liberties

2 Oversight Board, the Inspector General of the Intel- 

3 ligence Community, and the senior privacy and civil 

4 liberties officer of each department or agency of the 

5 Federal Government that receives cyber threat infor- 

6 mation shared with the Federal Government under 

7 such subsection (b), shall annually and jointly sub- 

8 mit to Congress a report assessing the privacy and 

9 civil liberties impact of the activities conducted by 

10 the Federal Government under such section 1104. 

11 Such report shall include any recommendations the 

12 Civil Liberties Protection Officer and Chief Privacy 

13 and Civil Liberties Officer consider appropriate to 

14 minimize or mitigate the privacy and civil liberties 

15 impact of the sharing of cyber threat information 

16 under such section 1104. 

17 (3) Form. — Each report required under para- 

18 graph (1) or (2) shall be submitted in unclassified 

19 form, but may include a classified annex. 

20 (d) Definitions. — In this section: 

21 (1) Appropriate congressional commit- 

22 tees. — The term "appropriate congressional com- 

23 mittees" means — 

24 (A) the Committee on Homeland Security, 

25 the Committee on the Judiciary, the Permanent 
1 Select Committee on Intelligence, and the Com-

2 mittee on Armed Services of the House of Rep-

3 resentatives; and

4 (B) the Committee on Homeland Security 

5 and Governmental Affairs, the Committee on 

6 the Judiciary, the Select Committee on Intel- 

7 ligence, and the Committee on Armed Services 

8 of the Senate. 

9 (2) Cyber threat information, cyber

10 threat intelligence, cybersecurity crimes,

11 cybersecurity provider, cybersecurity pur-

12 pose, and self-protected entity. — The terms

13 "cyber threat information", "cyber threat intel-

14 ligence", "cybersecurity crimes", "cybersecurity pro-

15 vider", "cybersecurity purpose", and "self-protected

16 entity" have the meaning given those terms in sec- 

17 tion 1104 of the National Security Act of 1947, as 

18 added by section 3(a) of this Act. 

19 (3) Intelligence community. — The term 

20 "intelligence community" has the meaning given the 

21 term in section 3(4) of the National Security Act of 

22 1947 (50 U.S.C. 401a(4)). 

23 (4) Shared situational awareness. — The 

24 term "shared situational awareness" means an envi- 

25 ronment where cyber threat information is shared in 
1 real time between all designated Federal cyber oper-

2 ations centers to provide actionable information

3 about all known cyber threats.

4 SEC. 3. CYBER THREAT INTELLIGENCE AND INFORMATION 

5 SHARING. 

6 (a) In General. — Title XI of the National Security

7 Act of 1947 (50 U.S.C. 442 et seq.) is amended by adding 

8 at the end the following new section: 

9 "CYBER THREAT INTELLIGENCE AND INFORMATION 

10 SHARING 

11 "Sec. 1104. (a) Intelligence Community Shar- 

12 ing of Cyber Threat Intelligence With Private 

13 Sector and Utilities. — 

14 "(1) In general. — The Director of National 

15 Intelligence shall establish procedures to allow ele- 

16 ments of the intelligence community to share cyber 

17 threat intelligence with private-sector entities and 

18 utilities and to encourage the sharing of such intel- 

19 ligence. 

20 "(2) Sharing and use of classified intel- 

21 ligence. — The procedures established under para- 

22 graph (1) shall provide that classified cyber threat 

23 intelligence may only be — 

24 "(A) shared by an element of the intel- 

25 ligence community with — 

26 "(i) a certified entity; or 
1 "(ii) a person with an appropriate se-

2 curity clearance to receive such cyber

3 threat intelligence; 

4 "(B) shared consistent with the need to 

5 protect the national security of the United 

6 States; 

7 "(C) used by a certified entity in a manner 

8 which protects such cyber threat intelligence 

9 from unauthorized disclosure; and 

10 "(D) used, retained, or further disclosed by 

11 a certified entity for cybersecurity purposes. 

12 "(3) Security clearance approvals. — The 

13 Director of National Intelligence shall issue guide- 

14 lines providing that the head of an element of the 

15 intelligence community may, as the head of such ele- 

16 ment considers necessary to carry out this sub- 

17 section — 

18 "(A) grant a security clearance on a tem- 

19 porary or permanent basis to an employee, 

20 independent contractor, or officer of a certified 

21 entity;

22 "(B) grant a security clearance on a tem- 

23 porary or permanent basis to a certified entity 

24 and approval to use appropriate facilities; and 
1 "(C) expedite the security clearance proc-

2 ess for a person or entity as the head of such

3 element considers necessary, consistent with the 

4 need to protect the national security of the 

5 United States. 

6 "(4) No right or benefit. — The provision of

7 information to a private-sector entity or a utility 

8 under this subsection shall not create a right or ben- 

9 efit to similar information by such entity or such 

10 utility or any other private-sector entity or utility.

11 "(5) Restriction on disclosure of cyber 

12 threat intelligence. — Notwithstanding any 

13 other provision of law, a certified entity receiving 

14 cyber threat intelligence pursuant to this subsection 

15 shall not further disclose such cyber threat intel- 

16 ligence to another entity, other than to a certified 

17 entity or other appropriate agency or department of 

18 the Federal Government authorized to receive such 

19 cyber threat intelligence. 

20 "(b) Use of Cybersecurity Systems and Shar- 

21 ing of Cyber Threat Information. — 

22 "(1) In general. — 

23 "(A) Cybersecurity providers. — Not- 

24 withstanding any other provision of law, a 

25 cybersecurity provider, with the express consent 
1 of a protected entity for which such

2 cybersecurity provider is providing goods or

3 services for cybersecurity purposes, may, for

4 cybersecurity purposes — 

5 "(i) use cybersecurity systems to iden- 

6 tify and obtain cyber threat information to 

7 protect the rights and property of such 

8 protected entity; and 

9 "(ii) share such cyber threat informa- 

10 tion with any other entity designated by 

11 such protected entity, including, if specifi- 

12 cally designated, the entities of the Depart- 

13 ment of Homeland Security and the De- 

14 partment of Justice designated under 

15 paragraphs (1) and (2) of section 2(b) of 

16 the Cyber Intelligence Sharing and Protec- 

17 tion Act. 

18 "(B) Self-protected entities. — Not-

19 withstanding any other provision of law, a self-

20 protected entity may, for cybersecurity pur-

21 poses —

22 "(i) use cybersecurity systems to iden- 

23 tify and obtain cyber threat information to 

24 protect the rights and property of such 

25 self-protected entity; and 
1 "(ii) share such cyber threat informa-

2 tion with any other entity, including the

3 entities of the Department of Homeland 

4 Security and the Department of Justice 

5 designated under paragraphs (1) and (2) 

6 of section 2(b) of the Cyber Intelligence 

7 Sharing and Protection Act. 

8 "(2) Use and protection of informa-

9 tion. — Cyber threat information shared in accord-

10 ance with paragraph (1) —

11 "(A) shall only be shared in accordance 

12 with any restrictions placed on the sharing of 

13 such information by the protected entity or self-

14 protected entity authorizing such sharing, in-

15 cluding appropriate anonymization or minimiza-

16 tion of such information and excluding limiting

17 a department or agency of the Federal Govern- 

18 ment from sharing such information with an- 

19 other department or agency of the Federal Gov- 

20 ernment in accordance with this section; 

21 "(B) may not be used by an entity to gain 

22 an unfair competitive advantage to the det- 

23 riment of the protected entity or the self-pro- 

24 tected entity authorizing the sharing of infor- 

25 mation; 
1 "(C) may only be used by a non-Federal

2 recipient of such information for a cybersecurity 

3 purpose; 

4 "(D) if shared with the Federal Govern-

5 ment —

6 "(i) shall be exempt from disclosure 

7 under section 552 of title 5, United States 

8 Code (commonly known as the 'Freedom of 

9 Information Act'); 

10 "(ii) shall be considered proprietary 

11 information and shall not be disclosed to 

12 an entity outside of the Federal Govern- 

13 ment except as authorized by the entity 

14 sharing such information; 

15 "(iii) shall not be used by the Federal

16 Government for regulatory purposes; 

17 "(iv) shall not be provided to another 

18 department or agency of the Federal Gov-

19 ernment under paragraph (2)(A) if —

20 "(I) the entity providing such in- 

21 formation determines that the provi- 

22 sion of such information will under- 

23 mine the purpose for which such in- 

24 formation is shared; or 
1 "(II) unless otherwise directed by

2 the President, the head of the depart-

3 ment or agency of the Federal Gov-

4 ernment receiving such cyber threat

5 information determines that the provi-

6 sion of such information will under-

7 mine the purpose for which such in-

8 formation is shared; and

9 "(v) shall be handled by the Federal

10 Government consistent with the need to

11 protect sources and methods and the na-

12 tional security of the United States; and

13 "(E) shall be exempt from disclosure under

14 a law or regulation of a State, political subdivi-

15 sion of a State, or a tribe that requires public

16 disclosure of information by a public or quasi-

17 public entity.

18 "(3) Exemption from liability. —

19 "(A) Exemption. — No civil or criminal

20 cause of action shall lie or be maintained in

21 Federal or State court against a protected enti-

22 ty, self-protected entity, cybersecurity provider,

23 or an officer, employee, or agent of a protected

24 entity, self-protected entity, or cybersecurity

25 provider, acting in good faith —
1 "(i) for using cybersecurity systems to

2 identify or obtain cyber threat information 

3 or for sharing such information in accord- 

4 ance with this section; or 

5 "(ii) for decisions made for 

6 cybersecurity purposes and based on cyber 

7 threat information identified, obtained, or 

8 shared under this section. 

9 "(B) Lack of good faith. — For pur- 

10 poses of the exemption from liability under sub- 

11 paragraph (A), a lack of good faith includes 

12 any act or omission taken with intent to injure, 

13 defraud, or otherwise endanger any individual, 

14 government entity, private entity, or utility. 

15 "(4) Relationship to other laws requir-

16 ing the disclosure of information. — The sub-

17 mission of information under this subsection to the

18 Federal Government shall not satisfy or affect — 

19 "(A) any requirement under any other pro- 

20 vision of law for a person or entity to provide 

21 information to the Federal Government; or 

22 "(B) the applicability of other provisions of 

23 law, including section 552 of title 5, United 

24 States Code (commonly known as the 'Freedom 

25 of Information Act'), with respect to informa-
1 tion required to be provided to the Federal Gov-

2 ernment under such other provision of law.

3 "(5) Rule of construction. — Nothing in 

4 this subsection shall be construed to provide new au- 

5 thority to — 

6 "(A) a cybersecurity provider to use a 

7 cybersecurity system to identify or obtain cyber 

8 threat information from a system or network 

9 other than a system or network owned or oper- 

10 ated by a protected entity for which such 

11 cybersecurity provider is providing goods or 

12 services for cybersecurity purposes; or

13 "(B) a self-protected entity to use a 

14 cybersecurity system to identify or obtain cyber 

15 threat information from a system or network 

16 other than a system or network owned or oper- 

17 ated by such self-protected entity. 

18 "(c) Federal Government Use of Informa-

19 tion. —

20 "(1) Limitation. — The Federal Government 

21 may use cyber threat information shared with the 

22 Federal Government in accordance with subsection 

23 (b)— 

24 "(A) for cybersecurity purposes; 
1 "(B) for the investigation and prosecution

2 of cybersecurity crimes; 

3 "(C) for the protection of individuals from 

4 the danger of death or serious bodily harm and 

5 the investigation and prosecution of crimes in- 

6 volving such danger of death or serious bodily 

7 harm; or 

8 "(D) for the protection of minors from 

9 child pornography, any risk of sexual exploi-

10 tation, and serious threats to the physical safe-

11 ty of minors, including kidnapping and traf-

12 ficking and the investigation and prosecution of

13 crimes involving child pornography, any risk of 

14 sexual exploitation, and serious threats to the 

15 physical safety of minors, including kidnapping 

16 and trafficking, and any crime referred to in 

17 section 2258A(a)(2) of title 18, United States 

18 Code. 

19 "(2) Affirmative search restriction. — 

20 The Federal Government may not affirmatively 

21 search cyber threat information shared with the 

22 Federal Government under subsection (b) for a pur- 

23 pose other than a purpose referred to in paragraph 

24 (1). 
1 "(3) Anti-tasking restriction. — Nothing in

2 this section shall be construed to permit the Federal 

3 Government to — 

4 "(A) require a private-sector entity or util- 

5 ity to share information with the Federal Gov- 

6 ernment; or 

7 "(B) condition the sharing of cyber threat 

8 intelligence with a private-sector entity or util- 

9 ity on the provision of cyber threat information 

10 to the Federal Government. 

11 "(4) Protection of sensitive personal 

12 documents. — The Federal Government may not 

13 use the following information, containing informa- 

14 tion that identifies a person, shared with the Federal 

15 Government in accordance with subsection (b): 

16 "(A) Library circulation records. 

17 "(B) Library patron lists. 

18 "(C) Book sales records. 

19 "(D) Book customer lists. 

20 "(E) Firearms sales records. 

21 "(F) Tax return records. 

22 "(G) Educational records. 

23 "(H) Medical records. 

24 "(5) Notification of non-cyber threat in-

25 formation. — If a department or agency of the Fed-
1 eral Government receiving information pursuant to

2 subsection (b)(1) determines that such information 

3 is not cyber threat information, such department or 

4 agency shall notify the entity or provider sharing 

5 such information pursuant to subsection (b)(1). 

6 "(6) Retention and use of cyber threat 

7 information. — No department or agency of the 

8 Federal Government shall retain or use information 

9 shared pursuant to subsection (b)(1) for any use 

10 other than a use permitted under subsection (c)(1). 

11 "(d) Federal Government Liability for Viola- 

12 tions of Restrictions on the Disclosure, Use, and 

13 Protection of Voluntarily Shared Information. — 

14 "(1) In general. — If a department or agency 

15 of the Federal Government intentionally or willfully 

16 violates subsection (b)(3)(D) or subsection (c) with 

17 respect to the disclosure, use, or protection of volun- 

18 tarily shared cyber threat information shared under 

19 this section, the United States shall be liable to a 

20 person adversely affected by such violation in an 

21 amount equal to the sum of — 

22 "(A) the actual damages sustained by the 

23 person as a result of the violation or $1,000, 

24 whichever is greater; and 
1 "(B) the costs of the action together with

2 reasonable attorney fees as determined by the 

3 court. 

4 "(2) Venue. — An action to enforce liability cre- 

5 ated under this subsection may be brought in the 

6 district court of the United States in — 

7 "(A) the district in which the complainant 

8 resides; 

9 "(B) the district in which the principal 

10 place of business of the complainant is located; 

11 "(C) the district in which the department 

12 or agency of the Federal Government that dis- 

13 closed the information is located; or 

14 "(D) the District of Columbia.

15 "(3) Statute of limitations. — No action 

16 shall lie under this subsection unless such action is 

17 commenced not later than two years after the date 

18 of the violation of subsection (b)(3)(D) or subsection 

19 (c) that is the basis for the action. 

20 "(4) Exclusive cause of action. — A cause 

21 of action under this subsection shall be the exclusive 

22 means available to a complainant seeking a remedy 

23 for a violation of subsection (b)(3)(D) or subsection 

24 (c). 




1 "(e) Federal Preemption. — This section super- 

2 sedes any statute of a State or political subdivision of a 

3 State that restricts or otherwise expressly regulates an ac- 

4 tivity authorized under subsection (b). 

5 "(f) Savings Clauses. — 

6 "(1) Existing authorities. — Nothing in this 

7 section shall be construed to limit any other author- 

8 ity to use a cybersecurity system or to identify, ob- 

9 tain, or share cyber threat intelligence or cyber 

10 threat information. 

11 "(2) Limitation on military and intel-

12 ligence community involvement in private

13 and public sector cybersecurity efforts. — 

14 Nothing in this section shall be construed to provide 

15 additional authority to, or modify an existing au- 

16 thority of, the Department of Defense or the Na- 

17 tional Security Agency or any other element of the 

18 intelligence community to control, modify, require, 

19 or otherwise direct the cybersecurity efforts of a pri- 

20 vate-sector entity or a component of the Federal 

21 Government or a State, local, or tribal government. 

22 "(3) Information sharing relationships. — 

23 Nothing in this section shall be construed to — 

24 "(A) limit or modify an existing informa- 

25 tion sharing relationship; 
1 "(B) prohibit a new information sharing

2 relationship; 

3 "(C) require a new information sharing re- 

4 lationship between the Federal Government and 

5 a private-sector entity or utility; 

6 "(D) modify the authority of a department 

7 or agency of the Federal Government to protect 

8 sources and methods and the national security 

9 of the United States; or 

10 "(E) preclude the Federal Government 

11 from requiring an entity to report significant 

12 cyber incidents if authorized or required to do 

13 so under another provision of law. 

14 "(4) Limitation on federal government 

15 use of cybersecurity systems. — Nothing in this

16 section shall be construed to provide additional au- 

17 thority to, or modify an existing authority of, any 

18 entity to use a cybersecurity system owned or con- 

19 trolled by the Federal Government on a private-sec- 

20 tor system or network to protect such private-sector 

21 system or network. 

22 "(5) No liability for non-participation. —

23 Nothing in this section shall be construed to subject 

24 a protected entity, self-protected entity, cybersecurity 

25 provider, or an officer, employee, or agent of a 
1 protected entity, self-protected entity, or 

2 cybersecurity provider, to liability for choosing not to 

3 engage in the voluntary activities authorized under 

4 this section. 

5 "(6) Use and retention of information. — 

6 Nothing in this section shall be construed to author- 

7 ize, or to modify any existing authority of, a department 

8 or agency of the Federal Government to retain 

9 or use information shared pursuant to subsection 

10 (b)(1) for any use other than a use permitted under 

11 subsection (c)(1). 

12 "(7) Limitation on surveillance. — Nothing 

13 in this section shall be construed to authorize the 

14 Department of Defense or the National Security 

15 Agency or any other element of the intelligence com- 

16 munity to target a United States person for surveil- 

17 lance. 

18 "(g) Definitions. — In this section: 

19 "(1) Availability. — The term 'availability' 

20 means ensuring timely and reliable access to and use 

21 of information. 

22 "(2) Certified entity. — The term 'certified 

23 entity' means a protected entity, self-protected enti- 

24 ty, or cybersecurity provider that — 
1 "(A) possesses or is eligible to obtain a se- 

2 curity clearance, as determined by the Director 

3 of National Intelligence; and 

4 "(B) is able to demonstrate to the Director 

5 of National Intelligence that such provider or 

6 such entity can appropriately protect classified 

7 cyber threat intelligence. 

8 "(3) Confidentiality. — The term 'confiden- 

9 tiality' means preserving authorized restrictions on 

10 access and disclosure, including means for protecting 

11 personal privacy and proprietary information. 

12 "(4) Cyber threat information. — 

13 "(A) In general. — The term 'cyber 

14 threat information' means information directly 

15 pertaining to — 

16 "(i) a vulnerability of a system or net- 

17 work of a government or private entity or 

18 utility; 

19 "(ii) a threat to the integrity, con- 

20 fidentiality, or availability of a system or 

21 network of a government or private entity 

22 or utility or any information stored on, 

23 processed on, or transiting such a system 

24 or network; 
1 "(iii) efforts to deny access to or de- 

2 grade, disrupt, or destroy a system or net- 

3 work of a government or private entity or 

4 utility; or 

5 "(iv) efforts to gain unauthorized ac- 

6 cess to a system or network of a govern- 

7 ment or private entity or utility, including 

8 to gain such unauthorized access for the 

9 purpose of exfiltrating information stored 

10 on, processed on, or transiting a system or 

11 network of a government or private entity 

12 or utility. 

13 "(B) Exclusion. — Such term does not include 

14 information pertaining to efforts to gain 

15 unauthorized access to a system or network of 

16 a government or private entity or utility that 

17 solely involve violations of consumer terms of 

18 service or consumer licensing agreements and 

19 do not otherwise constitute unauthorized access. 

20 "(5) Cyber threat intelligence. — 

21 "(A) In general. — The term 'cyber 

22 threat intelligence' means intelligence in the 

23 possession of an element of the intelligence 

24 community directly pertaining to — 
1 "(i) a vulnerability of a system or net- 

2 work of a government or private entity or 

3 utility; 

4 "(ii) a threat to the integrity, con- 

5 fidentiality, or availability of a system or 

6 network of a government or private entity 

7 or utility or any information stored on, 

8 processed on, or transiting such a system 

9 or network; 

10 "(iii) efforts to deny access to or de- 

11 grade, disrupt, or destroy a system or net- 

12 work of a government or private entity or 

13 utility; or 

14 "(iv) efforts to gain unauthorized ac- 

15 cess to a system or network of a govern- 

16 ment or private entity or utility, including 

17 to gain such unauthorized access for the 

18 purpose of exfiltrating information stored 

19 on, processed on, or transiting a system or 

20 network of a government or private entity 

21 or utility. 

22 "(B) Exclusion. — Such term does not include 

23 intelligence pertaining to efforts to gain 

24 unauthorized access to a system or network of 

25 a government or private entity or utility that 
1 solely involve violations of consumer terms of 

2 service or consumer licensing agreements and 

3 do not otherwise constitute unauthorized access. 

4 "(6) Cybersecurity crime. — The term 

5 'cybersecurity crime' means — 

6 "(A) a crime under a Federal or State law 

7 that involves — 

8 "(i) efforts to deny access to or de- 

9 grade, disrupt, or destroy a system or net- 

10 work; 

11 "(ii) efforts to gain unauthorized ac- 

12 cess to a system or network; or 

13 "(iii) efforts to exfiltrate information 

14 from a system or network without author- 

15 ization; or 

16 "(B) the violation of a provision of Federal 

17 law relating to computer crimes, including a 

18 violation of any provision of title 18, United 

19 States Code, created or amended by the Com- 

20 puter Fraud and Abuse Act of 1986 (Public 

21 Law 99-474). 

22 "(7) Cybersecurity provider. — The term 

23 'cybersecurity provider' means a non-Federal entity 

24 that provides goods or services intended to be used 

25 for cybersecurity purposes. 
1 "(8) Cybersecurity purpose. — 

2 "(A) In general. — The term 

3 'cybersecurity purpose' means the purpose of 

4 ensuring the integrity, confidentiality, or avail- 

5 ability of, or safeguarding, a system or network, 

6 including protecting a system or network 

7 from — 

8 "(i) a vulnerability of a system or net- 

9 work; 

10 "(ii) a threat to the integrity, con- 

11 fidentiality, or availability of a system or 

12 network or any information stored on, 

13 processed on, or transiting such a system 

14 or network; 

15 "(iii) efforts to deny access to or de- 

16 grade, disrupt, or destroy a system or net- 

17 work; or 

18 "(iv) efforts to gain unauthorized ac- 

19 cess to a system or network, including to 

20 gain such unauthorized access for the pur- 

21 pose of exfiltrating information stored on, 

22 processed on, or transiting a system or 

23 network. 

24 "(B) Exclusion. — Such term does not include 

25 the purpose of protecting a system or net- 
1 work from efforts to gain unauthorized access 

2 to such system or network that solely involve 

3 violations of consumer terms of service or con- 

4 sumer licensing agreements and do not other- 

5 wise constitute unauthorized access. 

6 "(9) Cybersecurity system. — 

7 "(A) In general. — The term 

8 'cybersecurity system' means a system designed 

9 or employed to ensure the integrity, confiden- 

10 tiality, or availability of, or safeguard, a system 

11 or network, including protecting a system or 

12 network from — 

13 "(i) a vulnerability of a system or net- 

14 work; 

15 "(ii) a threat to the integrity, con- 

16 fidentiality, or availability of a system or 

17 network or any information stored on, 

18 processed on, or transiting such a system 

19 or network; 

20 "(iii) efforts to deny access to or de- 

21 grade, disrupt, or destroy a system or net- 

22 work; or 

23 "(iv) efforts to gain unauthorized ac- 

24 cess to a system or network, including to 

25 gain such unauthorized access for the pur- 
1 pose of exfiltrating information stored on, 

2 processed on, or transiting a system or 

3 network. 

4 "(B) Exclusion. — Such term does not include 

5 a system designed or employed to protect 

6 a system or network from efforts to gain unau- 

7 thorized access to such system or network that 

8 solely involve violations of consumer terms of 

9 service or consumer licensing agreements and 

10 do not otherwise constitute unauthorized access. 

11 "(10) Integrity. — The term 'integrity' means 

12 guarding against improper information modification 

13 or destruction, including ensuring information non- 

14 repudiation and authenticity. 

15 "(11) Protected entity. — The term 'pro- 

16 tected entity' means an entity, other than an individual, 

17 that contracts with a cybersecurity provider 

18 for goods or services to be used for cybersecurity 

19 purposes. 

20 "(12) Self-protected entity. — The term 

21 'self-protected entity' means an entity, other than an 

22 individual, that provides goods or services for 

23 cybersecurity purposes to itself. 

24 "(13) Utility. — The term 'utility' means an 

25 entity providing essential services (other than law 
1 enforcement or regulatory services), including elec- 

2 tricity, natural gas, propane, telecommunications, 

3 transportation, water, or wastewater services.". 

4 (b) Procedures and Guidelines. — The Director 

5 of National Intelligence shall — 

6 (1) not later than 60 days after the date of the 

7 enactment of this Act, establish procedures under 

8 paragraph (1) of section 1104(a) of the National Se- 

9 curity Act of 1947, as added by subsection (a) of 

10 this section, and issue guidelines under paragraph 

11 (3) of such section 1104(a); 

12 (2) in establishing such procedures and issuing 

13 such guidelines, consult with the Secretary of Home- 

14 land Security to ensure that such procedures and 

15 such guidelines permit the owners and operators of 

16 critical infrastructure to receive all appropriate cyber 

17 threat intelligence (as defined in section 1104(h)(5) 

18 of such Act, as added by subsection (a)) in the pos- 

19 session of the Federal Government; and 

20 (3) following the establishment of such proce- 

21 dures and the issuance of such guidelines, expedi- 

22 tiously distribute such procedures and such guide- 

23 lines to appropriate departments and agencies of the 

24 Federal Government, private-sector entities, and 
1 utilities (as defined in section 1104(h)(13) of such 

2 Act, as added by subsection (a)). 

3 (c) Privacy and Civil Liberties Policies and 

4 Procedures. — Not later than 60 days after the date of 

5 the enactment of this Act, the Director of National Intel- 

6 ligence, in consultation with the Secretary of Homeland 

7 Security and the Attorney General, shall establish the poli- 

8 cies and procedures required under section 1104(c)(7)(A) 

9 of the National Security Act of 1947, as added by sub- 

10 section (a) of this section. 

11 (d) Initial Reports. — The first reports required to 

12 be submitted under paragraphs (1) and (2) of subsection 

13 (e) of section 1104 of the National Security Act of 1947, 

14 as added by subsection (a) of this section, shall be sub- 

15 mitted not later than 1 year after the date of the enact- 

16 ment of this Act. 

17 (e) Table of Contents Amendment. — The table 

18 of contents in the first section of the National Security 

19 Act of 1947 is amended by adding at the end the following 

20 new item: 

"Sec. 1104. Cyber threat intelligence and information sharing.". 

21 SEC. 4. SUNSET. 

22 Effective on the date that is 5 years after the date 

23 of the enactment of this Act — 
1 (1) section 1104 of the National Security Act of 

2 1947, as added by section 2(a) of this Act, is re- 

3 pealed; and 

4 (2) the table of contents in the first section of 

5 the National Security Act of 1947, as amended by 

6 section 2(d) of this Act, is amended by striking the 

7 item relating to section 1104, as added by such sec- 

8 tion 2(d). 

9 SEC. 5. SENSE OF CONGRESS ON INTERNATIONAL CO- 

10 OPERATION. 

11 It is the sense of Congress that international coopera- 



12 tion with regard to cybersecurity should be encouraged 

13 wherever possible under this Act and the amendments 

14 made by this Act. 

15 SEC. 6. RULE OF CONSTRUCTION RELATING TO CONSUMER 

16 DATA. 

17 Nothing in this Act or the amendments made by this 

18 Act shall be construed to provide new or alter any existing 

19 authority for an entity to sell personal information of a 

20 consumer to another entity for marketing purposes. 
1 SEC. 7. SAVINGS CLAUSE WITH REGARD TO 

2 CYBERSECURITY PROVIDER OBLIGATION TO 

3 REPORT CYBER THREAT INCIDENT INFORMA- 

4 TION TO FEDERAL GOVERNMENT. 

5 Nothing in this Act or the amendments made by this 

6 Act shall be construed to provide authority to a depart- 

7 ment or agency of the Federal Government to require a 

8 cybersecurity provider that has contracted with the Fed- 

9 eral Government to provide information services to provide 

10 information about cybersecurity incidents that do not pose 

11 a threat to the Federal Government's information. 